Merge pull request #5126 from JacobBarthelmeh/crl

do not error out on CRL next date if using NO_VERIFY
2022-05-12 08:44:29 -07:00 · 2022-05-12 08:44:29 -07:00 · 7a95be1a97
commit 7a95be1a97
parent 9ca1206bf3 531120131a
3 changed files with 10 additions and 7 deletions
--- a/src/crl.c
+++ b/src/crl.c
@ -497,7 +497,7 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type,
 #endif

    InitDecodedCRL(dcrl, crl->heap);
-    ret = ParseCRL(dcrl, myBuffer, (word32)sz, crl->cm);
+    ret = ParseCRL(dcrl, myBuffer, (word32)sz, verify, crl->cm);
    if (ret != 0 && !(ret == ASN_CRL_NO_SIGNER_E && verify == NO_VERIFY)) {
        WOLFSSL_MSG("ParseCRL error");
    }
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -31566,7 +31566,7 @@ static int PaseCRL_CheckSignature(DecodedCRL* dcrl, const byte* buff, void* cm)

 #ifndef WOLFSSL_ASN_TEMPLATE
 static int ParseCRL_CertList(DecodedCRL* dcrl, const byte* buf,
-        word32* inOutIdx, int sz)
+        word32* inOutIdx, int sz, int verify)
 {
    word32 oid, dateIdx, idx, checkIdx;
    int version;
@ -31616,7 +31616,8 @@ static int ParseCRL_CertList(DecodedCRL* dcrl, const byte* buf,
 #endif
    {
 #ifndef NO_ASN_TIME
-        if (!XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) {
+        if (verify != NO_VERIFY &&
+                !XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) {
            WOLFSSL_MSG("CRL after date is no longer valid");
            return CRL_CERT_DATE_ERR;
        }
@ -31927,7 +31928,8 @@ enum {
 #endif

 /* parse crl buffer into decoded state, 0 on success */
-int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
+int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, int verify,
+        void* cm)
 {
 #ifndef WOLFSSL_ASN_TEMPLATE
    Signer*      ca = NULL;
@ -31956,7 +31958,7 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
        return ASN_PARSE_E;
    dcrl->sigIndex = len + idx;

-    if (ParseCRL_CertList(dcrl, buff, &idx, dcrl->sigIndex) < 0)
+    if (ParseCRL_CertList(dcrl, buff, &idx, dcrl->sigIndex, verify) < 0)
        return ASN_PARSE_E;

    if (ParseCRL_Extensions(dcrl, buff, &idx, dcrl->sigIndex) < 0)
@ -32079,7 +32081,8 @@ end:
    #ifndef NO_ASN_TIME
        if (dcrl->nextDateFormat != 0) {
            /* Next date was set, so validate it. */
-            if (!XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) {
+            if (verify != NO_VERIFY &&
+                 !XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) {
                WOLFSSL_MSG("CRL after date is no longer valid");
                ret = CRL_CERT_DATE_ERR;
            }
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@ -2271,7 +2271,7 @@ WOLFSSL_LOCAL int VerifyCRL_Signature(SignatureCtx* sigCtx,
                                      word32 signatureOID, Signer *ca,
                                      void* heap);
 WOLFSSL_LOCAL int  ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz,
-                            void* cm);
+                            int verify, void* cm);
 WOLFSSL_LOCAL void FreeDecodedCRL(DecodedCRL* dcrl);